Who would verify their programs?


Target verification applications:
* Professional
* Mission critical
* Research direction
Verification tools


Programming language
Intermediate verification language (Boogie)
Decision procedures
x86
Small demo
CloudMake verification 
IronClad verification 


Demo 


Log 


CloudMake 


Modern make utility 
Functional subset of TypeScript 
exec construct — calls out to compilers, linkers, etc.


Algorithm correctness 

Formalized as a program in Dafny 
Interpreter for language 
Axioms for exec 

Correctness properties proved 
Parallel builds are correct 
Cache is consistent 
Cached behavior = clean-build behavior 


Demo 


CloudMake [joint work with Maria Christakis and Wolfram Schulte] 


The Ironclad Project: 
Full Verification of Security-Sensitive Services 
Two Ironclad examples: append-only audit log and differential privacy


Differential-privacy database 



Append-only audit log: entries cannot be removed.
Differential-privacy database (privacy budget remaining): private data revealed only according to policy.
Security-sensitive services need cryptography, so we built a crypto library.


Specifications are hand-translated from official definitions. 
This is the best we can do, so resulting specs are in TCB. 
Spec reviews increase likelihood of correctness. 


Ironclad apps written in Dafny 
...but the standard Dafny toolchain includes a large TCB.


Dafny 



If the C# code differs from what's passed to Boogie, the verification results don't apply.

The entirety of the .NET runtime is also in the TCB.


Our new Dafny compiler substantially reduces the TCB.


BoogieX86 



Assembly code is passed to Boogie, so the verification results apply.
No dependence on the .NET runtime — just x86 (BoogieX86).


DafnyCC demo 


DafnyCC features 


Supports large subset of Dafny language: 

— Expressions: add, sub, bitwise, booleans, function calls, ...

— Statements: assignment, if/else, while, ... 

— Types: int, bool, array-of-int, datatypes 

No object-oriented features

Linear scan register allocator 

Not an optimizing compiler! 


Verve: a verifiably safe OS — "every assembly language instruction checked for safety"
Boot Loader



x86 Hardware 


Memory management 


Trusted specification 


[Memory layout diagram: Code, static fields and GC info tables; Interrupt table; IO-MMU page tables; DMA area; General-purpose memory]
[General-purpose memory: Nucleus private stack; PCI tables; Thread contexts; Dafny stacks; GC heap]


Untrusted definitions 



&& (forall i:int::{T(i)} T(i) ==>
       Fi <= i && i < Fk && r1[i] != NO_ABS &&
       (IsFwdPtr(gcMem[i + 4]) ==>
           Pointer(r2, gcMem[i + 4] - 4, r1[i])
           && AlignedHeapAddr(i + 4)
           && word(gcMem[i + 4])))


Ironclad progress so far


* Verve
* Libraries 
— Big integers and rationals 
— Crypto: SHA-1, SHA-256, HMAC, RSA 
— Utilities for manipulating bytes, words, sequences, arrays 
— Math 
* Drivers
— TPM 
— Network 
* Services 
— Password vault 
— Notary 
— Tinc 
— Differentially-private database